Screenshot loophole could leave app open to data thef t
NEW data protection and fraud fears have been raised about Scotland’s coronavirus vaccine passport app after it emerged that copies of personal health information can be taken.
Health Secretary Humza Yousaf insisted earlier this week that workers checking the vaccine passport details in a specially created mobile phone verifier app could not take screenshots of the information.
But it has now emerged they can take a screenshot on a smartphone, meaning that personal information about customers including their name, date of birth and vaccine status could be stored on their device.
Critics say the scheme is wide open to fraud and abuse, as people are also able to share screenshots of their QR barcode.
Mr Yousaf had claimed in a BBC Radio Scotland interview on Monday it was impossible to take screenshots of information displayed on the app.
But the Mail yesterday used the verifier app to scan a vaccine certificate QR barcode and could then easily take a screenshot on a smartthe phone, providing a name, date of birth, type of coronavirus vaccine issued and the date it was received.
The app, which cost £600,000, has already been beset by major technical glitches, which led to the SNP Government delaying enforcement of the scheme, originally planned for earlier this month, until this week.
Businesses have been told that they are allowed to ‘visually’ check QR codes when screening customers, meaning it would be simple for an unvaccinated person to get around the requirement if they have a friend willing to share an image, or obtain records of a vaccinated person without their consent.
Alex Cole-Hamilton, the leader of the Scottish Liberal Democrats, said it was clear that the system could be ‘outfoxed by anyone who knows how to take a screenshot’ and repeated his call for it to be scrapped.
Mr Cole-Hamilton said: ‘The launch was a shambles and the IT system struggled to cope. The data protection is virtually non-existent, given that this expensive system can be outfoxed by anyone who knows how to take a screenshot.
‘At the same time, industry leaders and human rights organisations have been dragging the Government over coals. What’s worse is that these illiberal ID cards will not even keep people safe. It will breed false confidence and allow the virus to spread under the radar.
‘This whole saga has been a shameful distraction from the measures that we know can help us defeat the virus: testing, tracing and vaccinating. Covid ID cards should be abolished immediately.’
A Scottish Government spokesman said: ‘In his interview the Cabinet Secretary was clearly referring to the Covid Check Verifier App which is used by business to verify a person’s QR code. The ability to take a screenshot has been disabled from android devices.
‘Furthermore, under the regulations venues are under a statutory duty to treat information in confidence and not use it for another purpose.
‘We recognise that it is possible to take a screenshot of the Covid Status app but the shimmer security features built into the app mean that it should be possible to distinguish between the app and a screenshot.’
Earlier this week, it emerged that more than two million double-jabbed Scots still do not have a vaccine passport – amid claims the Government has failed to do enough to publicise the scheme.
Fewer than 1.5million people have downloaded the vaccine passport app or obtained a paper copy of their vaccine certificate in time for the scheme becoming legally enforceable on Monday.
This means that more than 2.3million of the 3,863,481 people over the age of 18 in Scotland who have received both doses of the vaccine still do not have the evidence required to gain access to football matches, indoor events, nightclubs and late-opening bars with dancing.
Hospitality leaders also hit out this week at the lack of a sufficient public awareness campaign to inform people of the rules.
‘System can be outfoxed’